YaBB Shadow BBCode Tag XSS

This script is Copyright (C) 2004-2012 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a CGI application that is prone to
cross-site scripting attacks.

Description :

The remote host is using the YaBB web forum software.

According to its version number, the remote version of this software
is vulnerable to JavaScript injection through the shadow or glow
BBCode tags. This may allow an attacker to inject hostile JavaScript
into the forum system to steal cookie credentials or misrepresent site
content. When the form is submitted, the malicious JavaScript is
incorporated into dynamically generated content.

See also :

http://www.yabbforum.com/archives.php?currentpage=7

Solution :

Upgrade to YaBB 1 Gold SP 1.4 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 15859

Bugtraq ID: 11764

CVE ID: